POP3 (IMAP) before SMTP

sometimes also called SMTP-after-POP3 or SMTP-after-IMAP

Are you sure you want this?

POP-before-SMTP is generally considered a kludge, originally invented to make up for the lack of authentication in the original SMTP specification for clients on dynamic IP addresses. ESMTP resolved that shortcoming long ago, and all modern mail clients and servers support it by now. You should consider implementing ESMTP AUTH in your mail transport/submission agent, and using it in your clients, rather than using POP-before-SMTP. See also PostfixAndDovecotSASL or EximAndDovecotSASL.

Problems with POP-before-SMTP

Shared IP addresses are in widespread use. You are opening your server not only to your user, but to anyone else who might be sharing the same IP address, other users, other computers in the same NAT. If you lose the connection, the next one who is assigned your IP also inherits your relay permit. This might include virus-infected spambot machines. Or consider a public wireless hotspot or an Internet cafe: both types of establishments are known to be frequented by spammers.

Not properly implemented in all mail clients: it only works right if the client checks for new mail immediately before attempting to send. And it can be very unsafe if longer timeouts are used, such that the user has time to write an email.

Probably others. I (Rob McGee) just thought it was wrong to have a HOWTO page here without a warning about why not to. Know what you are doing. If you are setting up a new mail service from scratch, by all means, do it right!

Advantages of POP-before-SMTP over SMTP AUTH

Likely to be relatively easier to implement in your mail submission agent. What's easier is a matter of opinion, and it varies, of course, but probably all MTA/MSA servers support some form of access lists without patching or recompiling.

Simple non-technical instructions for users: "Remember to check for new mail before you try to send mail."

Pop-before-smtp.pl

If you want to use pop-before-smtp.pl (from http://popbsmtp.sourceforge.net/) together with Dovecot, you can use this regular expression to match successful POP3 and IMAP logins:

DRAC

The DRAC historical plugin for Dovecot 1.x, located here, doesn't work with Dovecot 2.x, since it relies on the "IP" environment variable, not set anymore by Dovecot 2.x

a more recent version of this plugin is available here: DRAC Plugin for Dovecot 2.x. The README file explains how to compile it. Change the path to your Dovecot 2.x source code into the Makefile to compile it.

DRAC runs as a separate daemon, maintaining a BerkeleyDB database of IPs that have successfully authenticated via POP3 or IMAP, expiring them after 30 minutes. Installing it therefore requires that both your POP3/IMAP server and your SMTP daemon (Postfix/Sendmail/qmail) be set up to support it. DRAC-PLUGIN.c is a small C program, and accessing BerkeleyDB databases is efficient so it works pretty well.

By following the instructions you will install a file drac_plugin.so in your dovecot lib/ directories for IMAP and/or POP3 loadable modules.

To turn on the new DRAC plugin in dovecot, you must set up these lines in your dovecot.conf. There is a separate section for 'protocol imap' and another under 'protocol pop3'; make sure you enable both.

Permissions note: the directory containing the drac_plugin.so file has to be readable by ordinary users. Check your Dovecot error log for help.

To get DRAC working on your machine, download the main DRAC daemon, edit the makefile as directed in the instructions, and make and install it. You will also want to ensure that you register the rpcs by executing rpcgen. See the Makefile for more details.

SQL

Advantage: you do not have a multi-megabyte Perl daemon reading your logs

Disadvantage: for each login you need the time and space to execute this script

tell your MTA to look up IPs authorized to relay in an SQL table

delete old IPs from the table regularly (cron job for example, or a modification to the script below)

Note that you must set up a script that deletes old IPs separately, and you also must configure your MTA properly. The script only performs the 'update on successful login' step, which alone is insecure without expiring older IPs! Add your working examples to this section. This Wiki depends on your help!

The substring call was necessary because $IP has '::ffff:' or something like that in front of the IP address on my system. The update followed by an insert, with the update in a transaction is necessary to replicate mysql's REPLACE INTO functionality. The INSERT will produce an error if the IP already exists but it doesn't matter as the UPDATE will have committed by then.

The 30 minute relay access period is handled by the INTERVAL in DATE_SUB. So it's safe anyway, but you should definitely run a cron job daily that deletes older records. That's to keep the table clean and speed up lookups. You might also need to run "OPTIMIZE TABLE" via the cron job to free up allocated space.

relay-ctrl

relay-ctrl consists of a few small programs designed to fit in qmail-like command chains. The most important:

relay-ctrl-allow runs after a successful POP/IMAP login, recording the client IP and timestamp

relay-ctrl-check runs before the SMTP server, enabling relaying if the client IP has authenticated recently

relay-ctrl-allow expects to find the client IP in the environment as $TCPREMOTEIP. Dovecot provides it as $IP, so you'll need this tiny dovecot-settcpremoteip wrapper script: